MINOR: ssl : add statements 'notlsv11' and 'notlsv12' and rename 'notlsv1' to 'notlsv10'.

This is because "notlsv1" used to disable TLSv1.0 only and had no effect
on v1.1/v1.2, so it is better to have an option for each version. This applies both
to "bind" and "server" statements.
Emeric Brun 2012-09-28 19:37:02 +02:00 committed by Willy Tarreau
parent 9faf071acb
commit c0ff4924c0
4 changed files with 71 additions and 9 deletions


@ -103,7 +103,9 @@ struct bind_conf {
char *crlfile; /* CRLfile to use on verify */
char *ecdhe; /* named curve to use for ECDHE */
int nosslv3; /* disable SSLv3 */
int notlsv1; /* disable TLSv1 */
int notlsv10; /* disable TLSv1.0 */
int notlsv11; /* disable TLSv1.1 */
int notlsv12; /* disable TLSv1.2 */
int prefer_server_ciphers; /* Prefer server ciphers */
int verify; /* verify method (set of SSL_VERIFY_* flags) */
SSL_CTX *default_ctx; /* SSL context of first/default certificate */


@ -175,7 +175,9 @@ struct server {
SSL_SESSION *reused_sess;
char *ciphers; /* cipher suite to use if non-null */
int nosslv3; /* disable SSLv3 */
int notlsv1; /* disable TLSv1 */
int notlsv10; /* disable TLSv1.0 */
int notlsv11; /* disable TLSv1.1 */
int notlsv12; /* disable TLSv1.2 */
} ssl_ctx;
#endif
struct {


@ -4253,9 +4253,31 @@ stats_error_parsing:
goto out;
#endif /* USE_OPENSSL */
}
else if (!strcmp(args[cur_arg], "notlsv1")) {
else if (!strcmp(args[cur_arg], "notlsv10")) {
#ifdef USE_OPENSSL
newsrv->ssl_ctx.notlsv1 = 1;
newsrv->ssl_ctx.notlsv10 = 1;
cur_arg += 1;
#else /* USE_OPENSSL */
Alert("parsing [%s:%d]: '%s' option not implemented.\n",
file, linenum, args[cur_arg]);
err_code |= ERR_ALERT | ERR_FATAL;
goto out;
#endif /* USE_OPENSSL */
}
else if (!strcmp(args[cur_arg], "notlsv11")) {
#ifdef USE_OPENSSL
newsrv->ssl_ctx.notlsv11 = 1;
cur_arg += 1;
#else /* USE_OPENSSL */
Alert("parsing [%s:%d]: '%s' option not implemented.\n",
file, linenum, args[cur_arg]);
err_code |= ERR_ALERT | ERR_FATAL;
goto out;
#endif /* USE_OPENSSL */
}
else if (!strcmp(args[cur_arg], "notlsv12")) {
#ifdef USE_OPENSSL
newsrv->ssl_ctx.notlsv12 = 1;
cur_arg += 1;
#else /* USE_OPENSSL */
Alert("parsing [%s:%d]: '%s' option not implemented.\n",
@ -6239,6 +6261,12 @@ out_uri_auth_compat:
#endif
#ifndef SSL_OP_NO_COMPRESSION /* needs OpenSSL >= 0.9.9 */
#define SSL_OP_NO_COMPRESSION 0
#endif
#ifndef SSL_OP_NO_TLSv1_1 /* needs OpenSSL >= 1.0.1 */
#define SSL_OP_NO_TLSv1_1 0
#endif
#ifndef SSL_OP_NO_TLSv1_2 /* needs OpenSSL >= 1.0.1 */
#define SSL_OP_NO_TLSv1_2 0
#endif
if (newsrv->use_ssl) {
int ssloptions =
@ -6265,8 +6293,12 @@ out_uri_auth_compat:
if (newsrv->ssl_ctx.nosslv3)
ssloptions |= SSL_OP_NO_SSLv3;
if (newsrv->ssl_ctx.notlsv1)
if (newsrv->ssl_ctx.notlsv10)
ssloptions |= SSL_OP_NO_TLSv1;
if (newsrv->ssl_ctx.notlsv11)
ssloptions |= SSL_OP_NO_TLSv1_1;
if (newsrv->ssl_ctx.notlsv12)
ssloptions |= SSL_OP_NO_TLSv1_2;
SSL_CTX_set_options(newsrv->ssl_ctx.ctx, ssloptions);
SSL_CTX_set_mode(newsrv->ssl_ctx.ctx, sslmode);
SSL_CTX_set_verify(newsrv->ssl_ctx.ctx, SSL_VERIFY_NONE, NULL);
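Review bot: The `#define SSL_OP_NO_TLSv1_1 0` and `#define SSL_OP_NO_TLSv1_2 0` fallbacks added in the out_uri_auth_compat hunk turn a `notlsv11` or `notlsv12` server keyword into a silent no-op on a build against OpenSSL older than 1.0.1: the keyword is accepted by the parsing hunk, but `ssloptions |= 0` in the last hunk enforces nothing and the operator gets no message. Such a library cannot negotiate those versions itself, so the practical exposure is a header/library mismatch or a configuration carried to another build, but the directive should at least announce that it is inert, e.g. after the new `if (newsrv->ssl_ctx.notlsv11)` line add `if (newsrv->ssl_ctx.notlsv11 && !SSL_OP_NO_TLSv1_1) Warning("config : server %s : 'notlsv11' has no effect with this OpenSSL version.\n", newsrv->id);` (and the same for `notlsv12`, adapting the message to what is in scope there). The same fallback defines and `|=` lines are repeated for the bind side in ssl_sock.c (the ssl_sock_load_cert and ssl_sock_prepare_ctx hunks) and deserve the same treatment. The function enclosing the last hunk starts and ends outside it.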


@ -450,6 +450,12 @@ int ssl_sock_load_cert(char *path, struct bind_conf *bind_conf, struct proxy *cu
#ifndef SSL_OP_NO_COMPRESSION /* needs OpenSSL >= 0.9.9 */
#define SSL_OP_NO_COMPRESSION 0
#endif
#ifndef SSL_OP_NO_TLSv1_1 /* needs OpenSSL >= 1.0.1 */
#define SSL_OP_NO_TLSv1_1 0
#endif
#ifndef SSL_OP_NO_TLSv1_2 /* needs OpenSSL >= 1.0.1 */
#define SSL_OP_NO_TLSv1_2 0
#endif
#ifndef SSL_OP_SINGLE_DH_USE /* needs OpenSSL >= 0.9.6 */
#define SSL_OP_SINGLE_DH_USE 0
#endif
@ -476,8 +482,12 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy
if (bind_conf->nosslv3)
ssloptions |= SSL_OP_NO_SSLv3;
if (bind_conf->notlsv1)
if (bind_conf->notlsv10)
ssloptions |= SSL_OP_NO_TLSv1;
if (bind_conf->notlsv11)
ssloptions |= SSL_OP_NO_TLSv1_1;
if (bind_conf->notlsv12)
ssloptions |= SSL_OP_NO_TLSv1_2;
if (bind_conf->prefer_server_ciphers)
ssloptions |= SSL_OP_CIPHER_SERVER_PREFERENCE;
@ -1190,9 +1200,23 @@ static int bind_parse_nosslv3(char **args, int cur_arg, struct proxy *px, struct
}
/* parse the "notlsv1" bind keyword */
static int bind_parse_notlsv1(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
static int bind_parse_notlsv10(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
{
conf->notlsv1 = 1;
conf->notlsv10 = 1;
return 0;
}
/* parse the "notlsv11" bind keyword */
static int bind_parse_notlsv11(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
{
conf->notlsv11 = 1;
return 0;
}
/* parse the "notlsv12" bind keyword */
static int bind_parse_notlsv12(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
{
conf->notlsv12 = 1;
return 0;
}
@ -1288,7 +1312,9 @@ static struct bind_kw_list bind_kws = { "SSL", { }, {
{ "crt-ignore-err", bind_parse_ignore_err, 1 }, /* set error IDs to ingore on verify depth == 0 */
{ "ecdhe", bind_parse_ecdhe, 1 }, /* defines named curve for elliptic curve Diffie-Hellman */
{ "nosslv3", bind_parse_nosslv3, 0 }, /* disable SSLv3 */
{ "notlsv1", bind_parse_notlsv1, 0 }, /* disable TLSv1 */
{ "notlsv10", bind_parse_notlsv10, 0 }, /* disable TLSv10 */
{ "notlsv11", bind_parse_notlsv11, 0 }, /* disable TLSv11 */
{ "notlsv12", bind_parse_notlsv12, 0 }, /* disable TLSv12 */
{ "prefer-server-ciphers", bind_parse_psc, 0 }, /* prefer server ciphers */
{ "ssl", bind_parse_ssl, 0 }, /* enable SSL processing */
{ "verify", bind_parse_verify, 1 }, /* set SSL verify method */
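Review bot: After the new `ssloptions |= SSL_OP_NO_TLSv1_1` / `SSL_OP_NO_TLSv1_2` lines in the ssl_sock_prepare_ctx hunk there is still no check that at least one protocol version remains enabled; a bind line with `nosslv3 notlsv10 notlsv11 notlsv12` is accepted and every handshake then fails at runtime with nothing in the startup output pointing at the cause. A configuration-time check such as `if (bind_conf->nosslv3 && bind_conf->notlsv10 && bind_conf->notlsv11 && bind_conf->notlsv12)` reporting the conflict through the function's error path (it returns an int, which I take to be how it reports problems) would make the misconfiguration visible where it is made. Minor: the three keyword-table comments say `TLSv10`, `TLSv11` and `TLSv12` while the struct fields say `TLSv1.0` etc.; `/* disable TLSv1.0 */` and friends would keep the two consistent. ssl_sock_prepare_ctx starts and ends outside the hunk.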